[00:01.180 --> 00:04.340]  Hello, everybody. Welcome to Lock Bypass Village.
[00:04.340 --> 00:08.020]  My name is Karen, and today I'm going to be taking you through Bypass 101,
[00:08.020 --> 00:10.500]  an introduction to basic bypass methods.
[00:12.780 --> 00:15.960]  So, before we get started, what is bypass?
[00:16.340 --> 00:20.380]  Very often, when people think about physical hacking, they think about showier methods,
[00:20.380 --> 00:24.020]  things like lockpicking. However, there are plenty of other methods that can
[00:24.020 --> 00:28.620]  allow people to access locked-out locations, and this is known collectively as lock bypass.
[00:29.460 --> 00:32.400]  So, to get things started, I have a fun video here,
[00:32.400 --> 00:36.500]  which is a really great example of lock bypass. It involves finding a security
[00:36.500 --> 00:40.400]  vulnerability, exploiting it, and then gaining access to areas that should otherwise
[00:40.400 --> 00:41.720]  be locked out.
[00:45.700 --> 00:50.460]  This next video shows what can happen if your security system is poorly designed or poorly
[00:50.460 --> 00:51.500]  thought out.
[00:53.940 --> 00:59.240]  My mom wanted to lock her door. She's got a sliding door.
[01:00.560 --> 01:02.820]  And this was her solution.
[01:09.580 --> 01:11.560]  So, why bypass?
[01:11.820 --> 01:15.420]  Lock bypass often involves ignoring the lock altogether and finding an
[01:15.420 --> 01:19.260]  alternative way to open the door, and sometimes even avoiding having to use the door
[01:19.260 --> 01:23.260]  altogether. Lock bypass methods are used often because they're
[01:23.260 --> 01:27.100]  much faster and more reliable than lockpicking, and they're used much more frequently
[01:27.100 --> 01:31.240]  in physical red teaming. So, as you can see here,
[01:31.240 --> 01:35.100]  we have our agenda for today, and there are a lot of different types of bypass here.
[01:35.240 --> 01:39.060]  In addition, the items that are in bold are available to play as
[01:39.060 --> 01:43.640]  games on our website, bypassvillage.org, so feel free to go check those out.
[01:44.380 --> 01:47.580]  So, let's get started with latch-targeted bypass.
[01:48.200 --> 01:51.040]  Latch-targeted bypass, or carding, targets
[01:51.040 --> 01:55.220]  the latches that hold the door closed. Depending on the orientation of the latch,
[01:55.220 --> 01:59.300]  you can either shove or pull the latch. There's a variety of tools
[01:59.300 --> 02:03.740]  that you can use for this. Most commonly, you'll see latch slips or traveler's hooks,
[02:03.740 --> 02:06.780]  plastic cards, or even a well-bent piece of wire.
[02:07.900 --> 02:11.120]  Circled here in red is what is known as a deadlatch.
[02:11.120 --> 02:15.840]  When the deadlatch is pushed in, it prevents the latch from being pushed in as well.
[02:16.020 --> 02:18.840]  This prevents you from being able to card a door.
[02:21.060 --> 02:23.460]  Here's a quick video demonstration of how
[02:23.720 --> 02:24.920]  a deadlatch works.
[02:27.200 --> 02:31.400]  So as you can see, when the deadlatch is pushed in, you can no longer
[02:31.400 --> 02:35.260]  get the latch into the door. Sometimes
[02:35.260 --> 02:39.400]  the door is installed in such a way that the deadlatch is already in a hole in the strike
[02:39.400 --> 02:43.500]  plate that is in the frame of the door. Other times,
[02:43.500 --> 02:47.480]  the deadlatch is installed almost properly, but you can get it to fall into the hole
[02:47.480 --> 02:51.380]  by shoving, pushing, maneuvering, or shaking the door.
[02:52.520 --> 02:55.520]  This is a deadbolt. They're different from deadlatches,
[02:55.520 --> 02:59.300]  and often you'll see them with a thumb turn on the other side. These prevent you
[02:59.300 --> 03:03.320]  from being able to use latch-targeted bypass techniques, and it also prevents
[03:03.320 --> 03:07.540]  you from using the under-the-door tool. So, the instructions
[03:07.540 --> 03:11.300]  for use for pulling. So first you want to make sure that the deadlatch isn't
[03:11.300 --> 03:15.980]  actuated. After that, you want to place the latch slip tool behind the latch.
[03:16.260 --> 03:19.460]  You then want to wiggle the latch slip to move the latch slowly into
[03:19.460 --> 03:23.360]  the door. And then, without removing the tool from holding in the latch,
[03:23.360 --> 03:27.020]  you want to pull the door open. Here's a quick video demo
[03:27.020 --> 03:29.720]  of how to do it.
[03:33.930 --> 03:38.330]  So as you can see, the door is locked, and we take our bypass tool
[03:38.330 --> 03:41.630]  and we put it behind the latch,
[03:42.710 --> 03:46.310]  and then we slowly wiggle it back and forth, slowly moving
[03:46.310 --> 03:50.230]  the latch into the hole in the door. And thus, it can be pulled
[03:50.230 --> 03:54.490]  open. So what exactly
[03:54.490 --> 03:58.190]  is happening here? Pretty much what the tool does is it
[03:58.190 --> 04:02.010]  takes advantage of the fact that the latch is at an angle,
[04:02.010 --> 04:06.390]  and it follows that angle to slowly push the latch into the hole
[04:06.390 --> 04:07.670]  in the door.
[04:10.130 --> 04:14.190]  So, for shoving. First, again, you want to ensure that the deadlatch is
[04:14.190 --> 04:18.290]  not actuated. Once you've done that, you want to shove the shoving tool between
[04:18.290 --> 04:22.330]  the latch and the strike plate. And then, without removing the tool from holding in
[04:22.330 --> 04:26.410]  the latch, you want to pull the door open. Again, here's a quick video
[04:26.410 --> 04:29.710]  demonstration of exactly how to do it.
[04:30.430 --> 04:34.110]  So you can see he has the thin plastic card here,
[04:34.110 --> 04:38.230]  and that the door is locked. You maneuver
[04:38.230 --> 04:42.570]  the card between the door latch and the strike plate,
[04:42.570 --> 04:44.850]  and you can push it open.
[04:46.710 --> 04:48.850]  So, again, how exactly does this
[04:48.850 --> 04:52.830]  work? Pretty much what you do is
[04:52.830 --> 04:56.830]  you take this latch, and, again, you're taking advantage of the angle of the
[04:56.830 --> 05:01.170]  latch. And this card slowly pushes the latch into the hole,
[05:01.170 --> 05:03.270]  allowing the door to be pulled open.
[05:06.170 --> 05:08.810]  So, again, here's a quick little visual
[05:08.810 --> 05:12.950]  demonstration for you guys. Have you been curious about
[05:12.950 --> 05:16.990]  wanting to try to make your own? We have several DIY Bypass Tools
[05:16.990 --> 05:20.930]  workshops over the DEF CON weekend, so here's the information there, so be
[05:20.930 --> 05:24.730]  sure to check that out. It'll be going over a variety of different physical
[05:24.730 --> 05:28.890]  Red Team tools, and how to make them using things you probably already have at home.
[05:29.790 --> 05:32.930]  In addition, there's also a game. We have a latch-slipping
[05:32.930 --> 05:36.890]  game at BypassVillage.org. So it's an interactive game where you can latch-slip
[05:36.890 --> 05:40.890]  doors, and there's varying levels of difficulty. Next, we'll
[05:40.890 --> 05:44.870]  be discussing handle-targeted bypass. Sometimes the deadlatch
[05:44.870 --> 05:49.450]  is actuated, and the door absolutely cannot be carded. But there is still hope.
[05:49.450 --> 05:52.730]  There do exist lock bypass methods that target the handle of the door
[05:52.730 --> 05:56.870]  instead of the latch. This method mimics a person exiting through the door from the other
[05:56.870 --> 06:00.850]  side. So, the under-the-door tool allows
[06:00.850 --> 06:04.850]  us to access areas that do have properly functioning deadlatches.
[06:04.850 --> 06:08.290]  This bypass method targets doors that have lever-type handles.
[06:08.990 --> 06:12.330]  The tool itself is thick wire, about 5 feet long, with
[06:12.330 --> 06:16.350]  string tied to the end. The tool is measured against the door handle and bent into
[06:16.490 --> 06:20.570]  a hook shape at the top. As I mentioned before,
[06:20.570 --> 06:24.250]  this bypass method targets doors that have lever-type handles.
[06:24.350 --> 06:28.890]  In addition, you'll also need enough room under or beside the door to fit the tool.
[06:29.030 --> 06:32.410]  As you can see here with different types of levers, S-type levers
[06:32.410 --> 06:36.530]  and T-type levers are the easiest to use this bypass on, with U-type
[06:36.530 --> 06:39.390]  and Q-types being much more challenging.
[06:40.150 --> 06:43.570]  So, here's a quick video demonstration of how it's done.
[07:22.020 --> 07:22.500]  And...
[07:22.500 --> 07:24.700]  one more time, here's how it's done.
[07:24.700 --> 07:29.040]  In this video, I'm going to show you how to use an under-the-door bypass tool.
[07:29.080 --> 07:32.600]  They allow us to gain entry through doors with locked door handles.
[07:33.300 --> 07:37.040]  First, the tool is slid through the gap between the door and the floor.
[07:37.040 --> 07:41.160]  It is then maneuvered onto the inside door handle and pulled downwards, replicating
[07:41.160 --> 07:44.180]  the motion of someone opening the door from the inside.
[07:46.760 --> 07:48.360]  There you go, nice and easy.
[07:48.360 --> 07:52.300]  So, step-by-step, what you want to do is you want to insert the tool under the
[07:52.300 --> 07:56.740]  door, and then maneuver the tool until the top hook rests behind the door handle.
[07:56.760 --> 08:00.400]  You then move the tool to the end of the handle and pull on the string, actuating
[08:00.400 --> 08:04.360]  the lever. Again, I'm going to plug
[08:04.360 --> 08:08.380]  our DIY bypass tools workshop. In the workshop, we will be covering
[08:08.380 --> 08:12.400]  how to make this tool, and again, this will be using materials that you probably
[08:12.400 --> 08:16.900]  already have at home. Alright, let's talk about doorknobs.
[08:17.620 --> 08:19.780]  Doorknobs are often very difficult to bypass.
[08:20.160 --> 08:24.960]  Thankfully, they're slowly being phased out of use, but you may still encounter some of them in the wild.
[08:25.460 --> 08:28.560]  The tool for this bypass is a bent piece of wire, which is used to
[08:28.560 --> 08:32.420]  deposit a piece of string onto the doorknob. Tape, rubber, or other
[08:32.420 --> 08:35.880]  materials can be added to the string to help increase friction on the doorknob.
[08:35.880 --> 08:40.580]  So, on this image, I have some tape. So here's the tool again,
[08:40.580 --> 08:42.420]  but from slightly different angles.
[08:44.880 --> 08:48.600]  And as you can see, the wire is meant to go around the frame and
[08:48.600 --> 08:52.580]  have access to the front of the door. So, the
[08:52.580 --> 08:56.540]  requirement for this bypass method is a doorknob, of course. And,
[08:56.540 --> 09:00.460]  similar to the under-the-door tool, you also need enough room under or beside the door
[09:00.460 --> 09:04.440]  to fit the tool. So, the instructions for use are very
[09:04.440 --> 09:08.820]  simple. The tool is used to deposit this piece of string onto the doorknob,
[09:08.820 --> 09:12.800]  at which point the wire piece is removed, and then the string is pulled
[09:12.800 --> 09:16.520]  back and forth, creating tension, which slowly turns the doorknob.
[09:17.160 --> 09:20.060]  So, here's a quick little video demo for you guys.
[09:20.660 --> 09:24.900]  So, as you can kind of see, the tool is slowly being moved up the side of the
[09:24.900 --> 09:29.540]  door, and the string has tape attached to it to increase the friction on the doorknob.
[09:30.340 --> 09:32.960]  Once the tool is high enough, the string is
[09:32.960 --> 09:36.700]  maneuvered so that it lands over the doorknob.
[09:45.190 --> 09:47.810]  And then, both sides of the string are
[09:47.810 --> 09:51.630]  pulled back and forth to create friction, which then unlocks the door.
[09:55.180 --> 09:57.120]  Again, a little closer, you can see
[09:57.120 --> 10:01.120]  the friction on the doorknob as it slowly turns.
[10:03.360 --> 10:05.280]  Next is crash bars.
[10:06.680 --> 10:09.400]  Crash bars, not to be confused with push bars, are
[10:09.400 --> 10:13.440]  relatively simple in concept. The bar across the crash bar pushes down and
[10:13.440 --> 10:17.260]  unlocks the door. The tool for this is very
[10:17.260 --> 10:21.440]  similar to the under-the-door tool. The wire is cleverly bent and
[10:21.440 --> 10:25.140]  with some string used to actuate the crash bar and unlock the door.
[10:26.440 --> 10:29.380]  The requirements for this are a crash bar on the other side of the door
[10:29.380 --> 10:32.440]  and, again, enough room beside the door to fit the tool.
[10:33.920 --> 10:37.320]  So, to use this tool, you want to insert the tool through the side of the door,
[10:37.320 --> 10:41.460]  or start at the bottom and move up depending on how much room you have on the side of the door,
[10:41.460 --> 10:45.920]  and then rotate the hook until the hook lands on the crash bar. Once it's on the crash bar,
[10:45.920 --> 10:49.580]  you can pull down the string, which pulls the crash bar towards the door and unlocks it from the
[10:49.580 --> 10:53.600]  inside. So here's a quick demo video to demonstrate how
[10:53.600 --> 11:01.420]  this tool works. So,
[11:01.420 --> 11:05.220]  once I get it up the door frame, it hooks
[11:05.220 --> 11:08.480]  onto the bar of the crash bar,
[11:10.080 --> 11:13.440]  and then you can pull on the string, and it'll
[11:13.440 --> 11:17.840]  open the door. So, again, step by step,
[11:17.840 --> 11:21.560]  you want to get the tool into the side of the door and up,
[11:21.980 --> 11:25.440]  and then once it's high enough, you hook it onto the
[11:25.440 --> 11:29.640]  frame of the crash bar, and then you pull on the string, which pulls it towards
[11:29.640 --> 11:33.200]  the door. Now let's talk about push bars.
[11:33.720 --> 11:37.560]  Push bar-targeted bypasses tend to be more difficult due to there being less things
[11:37.560 --> 11:41.420]  for tools to hook onto. Often, the best bypass for a push bar is a
[11:41.420 --> 11:44.360]  latch-targeting one, but this isn't always possible.
[11:45.300 --> 11:49.380]  So, the tool for this bypass is a piece of string. Optional
[11:49.380 --> 11:53.920]  is stiff wire or sticks for positioning the string, ideally in a hook or an L-shape.
[11:54.920 --> 11:57.340]  For this bypass method to work, the push bar must
[11:57.340 --> 12:01.120]  be either on a door with holes, or with room above and below the door.
[12:02.220 --> 12:05.360]  Pretty much how this bypass works is you feed the string through the
[12:05.360 --> 12:09.300]  top of the door or through a hole above the push bar, use the wire pieces to move
[12:09.300 --> 12:13.900]  the string over the push bar and through the bottom of the door, or through a hole below the push bar,
[12:13.900 --> 12:17.220]  and then you grab both pieces of the string and you pull. And this pulls
[12:17.220 --> 12:21.220]  the push bar towards the door, thus actuating it as if someone
[12:21.220 --> 12:24.480]  were exiting from inside, and unlocks the door.
[12:25.500 --> 12:28.640]  This next bypass is pulling really hard.
[12:29.000 --> 12:33.380]  So, pulling really hard is a long-standing tradition of physical hackers, and there
[12:33.380 --> 12:37.300]  are a lot of doors that are loose in the frame and can be pulled open with a strong enough arm.
[12:37.820 --> 12:41.680]  This is the easiest bypass method to pack for, all you need is a
[12:41.680 --> 12:45.620]  reasonably strong pair of arms. So, not all doors
[12:45.620 --> 12:49.480]  can be pulled open this way, but a surprising number of them can be. You want to look
[12:49.480 --> 12:54.400]  for springy, loose-in-the-frame kind of doors that have an amount of flex when you pull on them.
[12:54.400 --> 13:00.000]  Multibank doors often do have at least one door that is pullable.
[13:00.000 --> 13:02.800]  So, here's the instructions for use.
[13:02.800 --> 13:05.480]  Very complex, very difficult, so just feel free to take your time
[13:05.480 --> 13:09.540]  going over that. The next bypass I'm going to be talking about
[13:09.540 --> 13:13.740]  is removing the hinges. So, sometimes the easiest way to unlock a
[13:13.740 --> 13:17.800]  door is to not unlock it at all. Some doors are installed with the hinges backwards,
[13:17.800 --> 13:21.980]  which allow you to unscrew the door from the frame and take the door off the hinges.
[13:21.980 --> 13:25.800]  The tool for this is obviously a screwdriver. For this to work,
[13:25.800 --> 13:29.840]  the screws of the door hinges must be exposed and accessible.
[13:29.840 --> 13:33.540]  And it's pretty self-explanatory how to do this. You unscrew the hinges, and then
[13:33.540 --> 13:37.640]  you remove the door, and boom, you can enter. However, seeing hinges
[13:37.640 --> 13:41.460]  installed like that is not very common. However,
[13:41.460 --> 13:45.500]  doors that have the pin of the hinge exposed are very common. This pin
[13:45.500 --> 13:49.160]  can be removed and then allow the door to once again come off of the frame.
[13:49.500 --> 13:53.400]  The tool for this is a screwdriver or a nail, a hammer, and then
[13:53.400 --> 13:57.640]  optional but recommended vice grips. For this to work, the door
[13:57.640 --> 14:01.480]  must be an outward-swinging door with exposed hinges. And in addition,
[14:01.480 --> 14:05.300]  this will not work on security hinges, so things like set screws or stud hinges.
[14:06.580 --> 14:09.440]  So, how this works is if there is a decorative bottom
[14:09.440 --> 14:13.580]  cap, you can remove it with a screwdriver and hammer, and then once you've done
[14:13.580 --> 14:17.840]  that, you place the screwdriver under the hinge with the point touching the bottom of the hinge pin.
[14:17.980 --> 14:21.380]  Then you can use your hammer to gently tap the screwdriver until the pin can be
[14:21.380 --> 14:25.460]  pulled out. After you've finished that, you want to repeat that with the other hinge, and then you
[14:25.460 --> 14:29.680]  can remove the door. Here's a quick little demo video for you guys.
[14:33.440 --> 14:35.000]  So we gently tap it
[14:35.800 --> 14:39.400]  to have the hinge pin come out of the hinge.
[14:40.700 --> 14:43.900]  And once it's out enough, you can use the vice grips
[14:43.900 --> 14:48.240]  to pull it out the rest of the way. And then again, you want to repeat this
[14:48.240 --> 14:49.860]  with the other hinge pin.
[14:53.420 --> 14:55.920]  And once it's out enough,
[14:55.920 --> 14:58.740]  you want to take your vice grips and you can pull it out.
[14:59.520 --> 15:02.460]  And now that both hinges have their hinge pins removed,
[15:02.460 --> 15:07.200]  you can gently move the door out of the door frame.
[15:08.940 --> 15:10.920]  And boom, you have entry.
[15:14.420 --> 15:14.920]  Next,
[15:14.920 --> 15:18.800]  let's talk about padlock shims. So, these are padlock shims, and they
[15:18.800 --> 15:22.700]  can be bought online in plastic or metal versions. You can also make your own at
[15:22.700 --> 15:26.820]  home using aluminum cans. So, this is how
[15:27.040 --> 15:31.120]  a padlock works in normal operation, when you have a key and you're unlocking it.
[15:32.080 --> 15:35.220]  Padlock shims take advantage of the mechanisms inside of padlocks
[15:35.220 --> 15:38.840]  and force the mechanisms together that hold the shackle down,
[15:38.840 --> 15:42.820]  allowing you to pull it open. Of course, this doesn't work on all padlocks, and there
[15:42.820 --> 15:46.820]  are padlocks now that are designed to specifically prevent them from being used,
[15:46.820 --> 15:50.740]  but you would be surprised at the number of padlocks that are still in use
[15:50.740 --> 15:55.020]  that this can be used on. Again, I'm going to plug our DIY
[15:55.020 --> 15:59.020]  Bypass Tools Workshop, and they'll be going over how to make
[15:59.020 --> 16:02.520]  these and a lot of other tools as well, so drop by if you can.
[16:03.960 --> 16:07.620]  Now, let's talk about bypassing button-push combination boxes.
[16:08.180 --> 16:10.940]  So, button-push combination boxes allow access without
[16:10.940 --> 16:15.020]  needing to have a physical key. There are also boxes that can contain keys inside
[16:15.020 --> 16:19.360]  of them. I'm sure you've seen these before in communal spaces, apartments, things like that.
[16:19.360 --> 16:23.660]  And I'm sure you've seen boxes like this outside of areas that have a lot of storefronts.
[16:23.660 --> 16:27.700]  So these are used because when a company, an employer,
[16:27.700 --> 16:31.500]  needs to provide access to a store for a whole bunch of people,
[16:31.500 --> 16:35.720]  but doesn't want to create a key for every single person, what they'll do is they'll have one
[16:35.720 --> 16:40.280]  key, and they'll put it inside of this box, and then give each opening employee the combination.
[16:40.560 --> 16:43.640]  Then, they can use the key to unlock the door, put it back, and leave it
[16:43.640 --> 16:47.660]  for the next person to use. So, you can use UV
[16:47.660 --> 16:51.560]  ink or powder, and you can use that to figure out which buttons are being used to
[16:51.560 --> 16:55.520]  unlock the door. Using a UV light and a little bit of patience, you can reduce
[16:55.520 --> 16:58.680]  the number of possible combinations enough that you can brute force it.
[16:59.300 --> 17:03.640]  So, how you do this is you apply UV ink or powder to all of the buttons on the box,
[17:03.640 --> 17:07.480]  and then you wait for the lock to be used a few times. As people use it, the ink
[17:07.480 --> 17:12.040]  will rub off of the buttons. After a while, you can return with a UV light.
[17:12.040 --> 17:15.860]  The buttons used to unlock the box will have less ink on them than the others.
[17:16.200 --> 17:19.760]  Then, you can try all of the possible combinations with the inkless buttons.
[17:21.040 --> 17:23.880]  In addition to that, depending on the UV ink or
[17:23.880 --> 17:27.700]  powder that you use, it's possible for pigment to transfer from one button to another
[17:27.700 --> 17:31.740]  when someone's unlocking the box. You can use this to figure out the combination order without
[17:31.740 --> 17:35.940]  brute forcing the combination. And then, sometimes
[17:35.940 --> 17:39.200]  you don't even need to use a UV light to figure out the combination if
[17:39.760 --> 17:43.240]  anybody out there could guess how to unlock this lock.
[17:44.180 --> 17:47.920]  In addition to that, these are simplex locks, and
[17:47.920 --> 17:51.940]  when they come from the factory, their default code is pressing 2 and 4 at the same time
[17:51.940 --> 17:56.080]  and then 3. Very frequently, people will not bother to set a new combination
[17:56.080 --> 17:59.920]  and so there's a lot of simplex locks out there that still
[17:59.920 --> 18:04.060]  use that default code. And there's a game
[18:04.060 --> 18:08.020]  for it! So we've made a really, really cool button push combination lock game
[18:08.020 --> 18:12.060]  and they have several different button push combination locks to try
[18:12.060 --> 18:15.720]  out, and it's a really fun interactive game. You get UV
[18:15.720 --> 18:20.260]  ink and UV light, and it's a really good time, so head over to bypassvillage.org
[18:20.260 --> 18:23.560]  and go and try that out! Next, let's talk about
[18:23.560 --> 18:27.640]  hacking EnterPhones. So I'm sure you've seen these around before, but EnterPhones are
[18:27.640 --> 18:31.800]  devices that are used to let people into buildings, most commonly apartments, condos,
[18:31.800 --> 18:35.820]  and high-rises of that sort. They allow visitors to contact someone that lives in the
[18:35.820 --> 18:39.820]  building, who can then remotely unlock the door to let them in. There's a few
[18:39.820 --> 18:43.740]  major companies that make EnterPhones, and they're often keyed alike,
[18:43.740 --> 18:47.620]  meaning that one key can open all the EnterPhones made by the same company.
[18:49.280 --> 18:51.700]  So, what you want to do is you want to open the
[18:51.700 --> 18:56.000]  EnterPhone panel using the corresponding key, and you want to find the unlocking mechanism.
[18:56.320 --> 18:59.620]  Once you've found the unlocking mechanism, you want to use something conductive to jump
[18:59.620 --> 19:03.720]  through the mechanism. At that point, the door should unlock as if someone from inside buzzed
[19:03.720 --> 19:07.560]  you in. So, here's a quick little video on an EnterPhone
[19:07.560 --> 19:08.300]  bypass.
[19:08.300 --> 19:08.800]  ...
[19:22.120 --> 19:25.240]  And, similar to the combination
[19:25.240 --> 19:29.160]  boxes, there is a game for this as well. So, if you've always wanted to try your
[19:29.160 --> 19:32.840]  hand at EnterPhone hacking, now's a really great opportunity to do so.
[19:34.140 --> 19:37.160]  The next bypass method I'm going to be talking about is wheelchair
[19:37.160 --> 19:41.080]  buttons and request exit sensors. So, wheelchair buttons
[19:41.080 --> 19:45.120]  allow the door to automatically open when the button's pressed. Sometimes,
[19:45.120 --> 19:49.160]  the button is installed so that it'll unlock and open the door, regardless of if the
[19:49.160 --> 19:53.180]  door should be locked otherwise. So, I have this great little clip here for you
[19:53.180 --> 19:57.320]  guys. So, as you see, the door is locked, but
[19:57.320 --> 20:00.880]  with a push of the wheelchair button, it's open.
[20:02.380 --> 20:04.960]  In addition to wheelchair buttons, there also exist
[20:04.960 --> 20:09.060]  request exit sensors. So, these are installed for the convenience of people that are
[20:09.060 --> 20:13.060]  inside exiting the building. Some are set up so that they automatically open
[20:13.060 --> 20:16.960]  as you approach them from the inside, but some just unlock and allow the person
[20:16.960 --> 20:21.060]  that's inside to exit the building. If you can trick the sensor into thinking that there's someone
[20:21.060 --> 20:25.220]  inside that wants to exit, then it'll unlock itself, allowing you access.
[20:25.560 --> 20:29.140]  So, here's a great clip from the YouTube channel WeHackPeople
[20:29.140 --> 20:33.060]  where they bypass the sensor using canned air.
[20:34.060 --> 20:34.500]  ...
[20:41.350 --> 20:41.790]  ...
[20:45.310 --> 20:48.130]  Next, I'm going to be talking about elevators.
[20:48.590 --> 20:52.110]  So, elevators are pretty much everywhere nowadays, and
[20:52.110 --> 20:56.030]  very often in buildings and high-rises and things like that, there will be
[20:56.030 --> 21:00.270]  floors that are locked out and require a keycard or a fob or something to get into,
[21:00.270 --> 21:03.970]  whether that's through the stairway or through the elevator. Luckily, there are
[21:04.070 --> 21:07.930]  a lot of ways to bypass these, and you can get to locked-out floors through elevator hacking.
[21:08.530 --> 21:12.070]  So, this is our elevator panel, and pretty much this is where we're going to be
[21:12.070 --> 21:16.090]  spending a large part of our time. So, common keys.
[21:16.090 --> 21:19.670]  A lot of elevator keys for various service modes are standardized, so
[21:19.670 --> 21:23.810]  here's a list of some of the more common ones. I recommend you look into these
[21:23.810 --> 21:27.930]  at your leisure. And these elevator keys can allow you to use special service
[21:27.930 --> 21:31.970]  modes, so things such as independent service mode, inspection service mode, attendant service mode,
[21:31.970 --> 21:36.170]  and fire service mode, which give you a lot more access privileges than you would
[21:36.170 --> 21:40.050]  when it's running in normal service mode. In addition to
[21:40.050 --> 21:44.070]  using common keys, you can also jumper and short the elevator panel. So,
[21:44.070 --> 21:48.030]  electronics run off of signals representing open and shorted, and if we can trick
[21:48.030 --> 21:52.670]  this elevator into thinking that an open signal is being sent when it's not, or the other way around,
[21:52.670 --> 21:56.010]  then we can get it to behave the way that we want it to. So, we accomplish
[21:56.010 --> 21:59.930]  this by jumpering or shorting connections that are in the elevator panel. So,
[21:59.930 --> 22:04.230]  to do this, you want to disconnect the panel, whether that's unscrewing it, coaxing it open, etc.,
[22:04.230 --> 22:08.090]  and then you want to find the thing that you want to bypass. At this point,
[22:08.090 --> 22:11.970]  it makes sense to identify the state of the mechanism. So, if the mechanism is open, then you
[22:11.970 --> 22:16.050]  want to short it, and vice versa. So, to short it, you want to use something conductive,
[22:16.050 --> 22:19.870]  whether that's wire, keys, alligator clips, anything of that sort, to connect both
[22:19.870 --> 22:23.970]  terminals. If you want to open the circuit, then you want to disconnect the leads or snip
[22:23.970 --> 22:27.930]  the wires. If you're unable to determine the state of the mechanism, then it is
[22:27.930 --> 22:31.910]  safe to attempt both methods. So, again,
[22:31.910 --> 22:35.970]  you want to take a look at it, and if your mechanism
[22:35.970 --> 22:39.990]  is shorted, then you want to disconnect the leads or snip the wires. And then
[22:39.990 --> 22:43.990]  if the mechanism is open, you want to short the mechanism by using something conductive to connect
[22:43.990 --> 22:48.030]  both of the terminals. So, there's a game!
[22:48.090 --> 22:51.710]  So, if you head over to bypassvillage.org, we have a nice little elevator
[22:51.710 --> 22:56.070]  hacking game that you can try out, and you can learn a bit more about elevator
[22:56.070 --> 23:00.330]  hacking in a safe environment. Another method
[23:00.330 --> 23:03.970]  of bypass through elevators is hoistway access.
[23:04.010 --> 23:07.810]  So, hoistway access, or getting on top of an elevator car and controlling it from there,
[23:07.810 --> 23:12.050]  is another way that you can access locked out floors using an elevator. I'm not going to be
[23:12.050 --> 23:16.010]  going more in depth for this today, because this talk is being recorded and put on the
[23:16.010 --> 23:19.850]  internet, but if you come out to our elevator hacking talk next year at Bypass Village,
[23:19.850 --> 23:23.790]  it will be covered. Next, let's talk about
[23:23.790 --> 23:28.150]  unlocked or improperly locked doors. Now, this sounds like it'd be very obvious,
[23:28.150 --> 23:31.910]  but you'd be surprised at the number of doors that are left unlocked or completely open.
[23:31.950 --> 23:35.810]  There's plenty of times that you can access an area just by pulling on some doors and seeing which
[23:35.810 --> 23:39.890]  ones are unlocked, especially in larger buildings, ones that have a lot of doors and a lot of
[23:39.890 --> 23:43.750]  entrances. So, there's a lot of reasons why a door won't be locked,
[23:43.750 --> 23:47.910]  whether it's human error, so something like a worker propping it open and forgetting to unprop it,
[23:47.910 --> 23:51.910]  or someone leaving clutter at the door and that holds it open, or environmental,
[23:51.910 --> 23:55.870]  so whether there's a warped door frame, or the lock is broken, or there's simply no
[23:55.870 --> 24:00.350]  lock there at all, all of these can cause the door to not be locked.
[24:00.590 --> 24:03.650]  So, here's a really great example of what appears to be
[24:04.250 --> 24:07.950]  a lab, perhaps, of some sort, and someone seems to have propped the door open with
[24:08.130 --> 24:11.350]  a stool, despite the sign saying, keep this door closed.
[24:12.850 --> 24:16.010]  Here's another great example. So, this door seems
[24:16.010 --> 24:19.910]  to have some sort of concrete at the base, and so this
[24:19.910 --> 24:23.730]  prevents the door from closing at all, so this door is just
[24:23.730 --> 24:27.790]  permanently open and permanently unlocked for anyone to stroll in.
[24:28.210 --> 24:32.370]  Here's another example. There is simply no lock,
[24:32.370 --> 24:35.790]  and, again, anyone can just pull open the door and just
[24:35.790 --> 24:39.810]  walk in. Finally, let's talk about
[24:39.810 --> 24:43.890]  ceilings, windows, and going around. So, here's
[24:44.230 --> 24:47.790]  a clip from a while ago. We encounter this very large fence with
[24:47.790 --> 24:51.830]  barbed wire on top and everything, but it
[24:51.830 --> 24:55.770]  really didn't provide too much trouble. Like
[24:55.770 --> 24:59.790]  I mentioned before, it's very easy to gain access to areas through windows,
[24:59.790 --> 25:03.530]  especially if they're low to the ground. Here's a great example
[25:03.530 --> 25:07.750]  of a bypass. This is a ladder with a ladder cage around
[25:07.750 --> 25:11.810]  it, and if you look at the photo on the right, there is a ladder grate at
[25:11.810 --> 25:15.710]  the bottom, and what this does is it prevents people from being able to climb
[25:15.710 --> 25:19.590]  the ladder. Unfortunately, if you go around to the other
[25:19.590 --> 25:23.730]  side of the ladder, there's plenty of space between the ladder and the wall, and you
[25:23.730 --> 25:27.730]  can easily climb up it and get to wherever it is you want to go without
[25:27.730 --> 25:31.430]  ever having to interact with the ladder cage or the grate.
[25:32.570 --> 25:35.910]  In addition to that, you can always go through the ceiling.
[25:36.390 --> 25:39.950]  So, a lot of places nowadays have false ceilings,
[25:39.950 --> 25:43.690]  and very often the walls will not rise up past these false
[25:43.690 --> 25:47.650]  ceilings, meaning that it's very easy to go from room to room or hallway
[25:47.650 --> 25:51.750]  to room over the walls without ever having to interact with the
[25:51.750 --> 25:55.890]  door. So here's a really great clip from a while back.
[25:56.690 --> 25:59.590]  In this case, we were very fortunate that there was a ladder that
[25:59.590 --> 26:03.710]  led up to an upper hatch, but we were able to take advantage
[26:03.710 --> 26:08.270]  of this to gain access into a room next door.
[26:10.010 --> 26:11.630]  So as you can see, he's
[26:11.630 --> 26:15.930]  very, very carefully undoing the ceiling tile,
[26:15.930 --> 26:19.710]  the holds that keep it there, moving it to the side, and there he
[26:19.710 --> 26:23.730]  is. Now he has access to an area
[26:23.730 --> 26:27.530]  that he otherwise shouldn't simply by going into the ceiling
[26:27.530 --> 26:33.110]  and over the wall. So the thing to keep in mind
[26:33.110 --> 26:36.950]  with this, though, is you want to be very, very careful. There's a lot of places
[26:36.950 --> 26:41.150]  that you can't step or can't hold your weight, and when you're
[26:41.150 --> 26:44.810]  up in a fragile area like that, one wrong move can
[26:44.810 --> 26:47.150]  prove to be very dangerous.
[27:10.450 --> 27:11.430]  So again,
[27:11.430 --> 27:15.170]  you have to be very, very careful. You need to know where
[27:15.170 --> 27:20.030]  you can and can't step and which areas can and can't support your weight.
[27:20.050 --> 27:22.350]  So here's another great example.
[27:34.790 --> 27:37.790]  So you just want to always be careful
[27:37.790 --> 27:41.750]  whenever you're trying this kind of bypass method, or really any other type
[27:41.750 --> 27:45.490]  of bypass method, or this could happen.
[27:46.470 --> 27:49.430]  So that wraps up my presentation for today.
[27:49.450 --> 27:53.570]  At this point, I'll be able to take some questions. Some big takeaways, come
[27:53.570 --> 27:57.550]  try out some of our games at bypassvillage.org. We worked really, really
[27:57.550 --> 28:01.490]  hard on them to make sure that they were available and ready for you guys to try out and get
[28:01.490 --> 28:05.330]  that hands-on experience learning about physical bypass. And also come to the
[28:05.330 --> 28:09.770]  DIY Bypass Tools Workshop. So we'll have a lot of tools being made,
[28:09.770 --> 28:13.510]  it'll be a really fun time, it'll be using materials you probably already have at
[28:13.510 --> 28:17.870]  home, so you might as well. And then you can also try these things out at home.
[28:18.110 --> 28:21.730]  If you guys have any questions for me, we'll now be going into a Q&A
[28:21.730 --> 28:25.650]  session, a live Q&A session. And if you missed that
[28:25.650 --> 28:29.430]  and still have questions, feel free to send me an email or send me
[28:29.430 --> 28:33.570]  tweets at Quineb or at Bypass Village.
[28:33.730 --> 28:37.670]  Special thanks to Sunny, Ege, Bobby, Bill, and
[28:37.670 --> 28:41.330]  Paul for all of your help with getting footage, putting together
[28:41.330 --> 28:44.910]  photos, getting everything ready for this presentation.
[28:44.990 --> 28:46.170]  Thank you so much, guys!
